View Single Post
  #1   (View Single Post)  
Old 12th December 2015
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Bloaty McBloatFace
Join Date: Dec 2015
Location: London
Posts: 335
Default Secure Boot and OpenBSD

This guide only applies to systems installed and booting in UEFI mode.

This guide applies to amd64 machines, for i386 systems replace "bootx64.efi" with "bootia32.efi"

Follow the advice in this link to install a UEFI system:

It is possible to boot OpenBSD with Secure Boot enabled by using the Linux Foundation's PreLoader & HashTool utilities.

To implement this method, download the PreLoader.efi and HashTool.efi from here:

Then rename the OpenBSD UEFI bootloader to "loader.efi":
# mount /dev/sd0i /mnt
# mv /mnt/efi/boot/BOOTX64.EFI /mnt/efi/boot/loader.efi
(this presumes that the EFI system partition is located at /dev/sd0i -- adjust if necessary)

Then copy over HashTool.efi & PreLoader.efi and rename the latter as the default UEFI loader:
# cp HashTool.efi /mnt/efi/boot
# cp PreLoader.efi /mnt/efi/boot/bootx64.efi
Now reboot the machine and enable Secure Boot.

When the system starts the PreLoader will detect an unauthorised image (the OpenBSD bootloader) and will offer to start the HashTool so that the loader.efi can be authorised.

Use the menu options in the HashTool to enrol the loader.efi and reboot again.


More information here:

To revert the system, simply copy loader.efi back to bootx64.efi

Note that whenever the base system is upgraded, the bootloader should be copied back:
# mount /dev/sd0i /mnt
# cp /usr/mdec/BOOTX64.EFI /mnt/efi/boot/loader.efi
When the system is rebooted, the HashTool should load up again to enrol the new loader.efi

Last edited by Head_on_a_Stick; 14th December 2015 at 10:05 PM. Reason: Added architecture-specific information
Reply With Quote